amadey | e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa

Analysis

max time kernel
152s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
31-03-2023 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe
Size

1.0MB
MD5

d6419ebd316ead612a957f2599de1861
SHA1

ae1e1d43701db5029ca80a0e41064c144bde52b7
SHA256

e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa
SHA512

c143bca377aeaf8b427e9fc83c5cc468f15e3b6dd24370eb8f22c379ffae480405b4698a2edaa1234b2c59ee549911c79a44e2389997e1a09becfb9d625635e1
SSDEEP

24576:LylHwLe/lzKVsBmUmHg0wfLAktrKNPheOue:+l9dzKVDU2l2kkAPUOu

Score

10^/10

amadey redline liba rosn discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

rosn

176.113.115.145:4125

Attributes

auth_value
050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

liba

176.113.115.145:4125

Attributes

auth_value
1a62e130767ad862d1fb9d7ab0115025

Extracted

Family

amadey

Version

3.69

193.233.20.36/joomla/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

tz8168.exev7059cF.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	tz8168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	tz8168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	tz8168.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	v7059cF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	v7059cF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	v7059cF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	tz8168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	tz8168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	tz8168.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	v7059cF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	v7059cF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	v7059cF.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 19 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3708-211-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-213-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-210-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-215-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-217-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-219-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-221-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-223-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-225-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-227-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-229-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-231-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-233-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-235-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-237-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-239-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-241-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-243-0x0000000004A70000-0x0000000004AAF000-memory.dmp	family_redline
behavioral1/memory/3708-1128-0x0000000004B30000-0x0000000004B40000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

y10NU83.exeoneetx.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	y10NU83.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	oneetx.exe

Executes dropped EXE 11 IoCs

Processes:

zap3401.exezap7708.exezap3694.exetz8168.exev7059cF.exew61hy78.exexvYYK87.exey10NU83.exeoneetx.exeoneetx.exeoneetx.exe

pid	process
4380	zap3401.exe
3348	zap7708.exe
836	zap3694.exe
1588	tz8168.exe
3100	v7059cF.exe
3708	w61hy78.exe
4416	xvYYK87.exe
3284	y10NU83.exe
4476	oneetx.exe
3576	oneetx.exe
312	oneetx.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3172 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3172	rundll32.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

v7059cF.exetz8168.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	v7059cF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	v7059cF.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	tz8168.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

zap7708.exezap3694.exee4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exezap3401.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap7708.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	zap7708.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3694.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	zap3694.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	zap3401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	zap3401.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2184 3100 WerFault.exe v7059cF.exe
4944 3708 WerFault.exe w61hy78.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3584 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

tz8168.exev7059cF.exew61hy78.exexvYYK87.exe

pid process

1588 tz8168.exe
1588 tz8168.exe
3100 v7059cF.exe
3100 v7059cF.exe
3708 w61hy78.exe
3708 w61hy78.exe
4416 xvYYK87.exe
4416 xvYYK87.exe

pid	pid_target	process	target process
2184	3100	WerFault.exe	v7059cF.exe
4944	3708	WerFault.exe	w61hy78.exe

pid	process
3584	schtasks.exe

pid	process
1588	tz8168.exe
1588	tz8168.exe
3100	v7059cF.exe
3100	v7059cF.exe
3708	w61hy78.exe
3708	w61hy78.exe
4416	xvYYK87.exe
4416	xvYYK87.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

tz8168.exev7059cF.exew61hy78.exexvYYK87.exe

description	pid	process
Token: SeDebugPrivilege	1588	tz8168.exe
Token: SeDebugPrivilege	3100	v7059cF.exe
Token: SeDebugPrivilege	3708	w61hy78.exe
Token: SeDebugPrivilege	4416	xvYYK87.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

y10NU83.exe

pid process

3284 y10NU83.exe

pid	process
3284	y10NU83.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exezap3401.exezap7708.exezap3694.exey10NU83.exeoneetx.execmd.exe

description	pid	process	target process
PID 2172 wrote to memory of 4380	2172	e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe	zap3401.exe
PID 2172 wrote to memory of 4380	2172	e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe	zap3401.exe
PID 2172 wrote to memory of 4380	2172	e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe	zap3401.exe
PID 4380 wrote to memory of 3348	4380	zap3401.exe	zap7708.exe
PID 4380 wrote to memory of 3348	4380	zap3401.exe	zap7708.exe
PID 4380 wrote to memory of 3348	4380	zap3401.exe	zap7708.exe
PID 3348 wrote to memory of 836	3348	zap7708.exe	zap3694.exe
PID 3348 wrote to memory of 836	3348	zap7708.exe	zap3694.exe
PID 3348 wrote to memory of 836	3348	zap7708.exe	zap3694.exe
PID 836 wrote to memory of 1588	836	zap3694.exe	tz8168.exe
PID 836 wrote to memory of 1588	836	zap3694.exe	tz8168.exe
PID 836 wrote to memory of 3100	836	zap3694.exe	v7059cF.exe
PID 836 wrote to memory of 3100	836	zap3694.exe	v7059cF.exe
PID 836 wrote to memory of 3100	836	zap3694.exe	v7059cF.exe
PID 3348 wrote to memory of 3708	3348	zap7708.exe	w61hy78.exe
PID 3348 wrote to memory of 3708	3348	zap7708.exe	w61hy78.exe
PID 3348 wrote to memory of 3708	3348	zap7708.exe	w61hy78.exe
PID 4380 wrote to memory of 4416	4380	zap3401.exe	xvYYK87.exe
PID 4380 wrote to memory of 4416	4380	zap3401.exe	xvYYK87.exe
PID 4380 wrote to memory of 4416	4380	zap3401.exe	xvYYK87.exe
PID 2172 wrote to memory of 3284	2172	e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe	y10NU83.exe
PID 2172 wrote to memory of 3284	2172	e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe	y10NU83.exe
PID 2172 wrote to memory of 3284	2172	e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe	y10NU83.exe
PID 3284 wrote to memory of 4476	3284	y10NU83.exe	oneetx.exe
PID 3284 wrote to memory of 4476	3284	y10NU83.exe	oneetx.exe
PID 3284 wrote to memory of 4476	3284	y10NU83.exe	oneetx.exe
PID 4476 wrote to memory of 3584	4476	oneetx.exe	schtasks.exe
PID 4476 wrote to memory of 3584	4476	oneetx.exe	schtasks.exe
PID 4476 wrote to memory of 3584	4476	oneetx.exe	schtasks.exe
PID 4476 wrote to memory of 3928	4476	oneetx.exe	cmd.exe
PID 4476 wrote to memory of 3928	4476	oneetx.exe	cmd.exe
PID 4476 wrote to memory of 3928	4476	oneetx.exe	cmd.exe
PID 3928 wrote to memory of 636	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 636	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 636	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 2796	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 2796	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 2796	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 4844	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 4844	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 4844	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 4512	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 4512	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 4512	3928	cmd.exe	cmd.exe
PID 3928 wrote to memory of 4104	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 4104	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 4104	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 3448	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 3448	3928	cmd.exe	cacls.exe
PID 3928 wrote to memory of 3448	3928	cmd.exe	cacls.exe
PID 4476 wrote to memory of 3172	4476	oneetx.exe	rundll32.exe
PID 4476 wrote to memory of 3172	4476	oneetx.exe	rundll32.exe
PID 4476 wrote to memory of 3172	4476	oneetx.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe
"C:\Users\Admin\AppData\Local\Temp\e4cf4b900d9e9bbb36b9021a85218569e205e828fc541941ad66c7015517a9fa.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2172

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3401.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3401.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4380

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7708.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7708.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3348

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3694.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3694.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:836

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8168.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8168.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7059cF.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7059cF.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3100 -s 1084
6⤵
- Program crash
PID:2184

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61hy78.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61hy78.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 1860
5⤵
- Program crash
PID:4944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvYYK87.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvYYK87.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y10NU83.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y10NU83.exe
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe" /F
4⤵
- Creates scheduled task(s)
PID:3584

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\c5d2db5804" /P "Admin:N"&&CACLS "..\c5d2db5804" /P "Admin:R" /E&&Exit
4⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:636

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
5⤵
PID:2796

C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
5⤵
PID:4844

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
5⤵
PID:4512

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:N"
5⤵
PID:4104

C:\Windows\SysWOW64\cacls.exe
CACLS "..\c5d2db5804" /P "Admin:R" /E
5⤵
PID:3448

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
4⤵
- Loads dropped DLL
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3100 -ip 3100
1⤵
PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3708 -ip 3708
1⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
1⤵
- Executes dropped EXE
PID:312

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y10NU83.exe
Filesize
236KB

MD5
a0359ff98b66f47da4f50bcded64f1a8

SHA1
ee42a2bf254c121d7f4b0fc1232ead5596af7cf2

SHA256
92e85bf6ef687bbb2570e44cffcc0b230d9cbd83bbdf31761be36968409e5a1b

SHA512
6fe3df4b133877e51484ca5ea9ab68d00c6799387a91ca6fe0ae1c453d9bd5f364959a54dcec64a399f025ca15949b860391b06fbcc8aa8164d6b5607843908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y10NU83.exe
Filesize
236KB

MD5
a0359ff98b66f47da4f50bcded64f1a8

SHA1
ee42a2bf254c121d7f4b0fc1232ead5596af7cf2

SHA256
92e85bf6ef687bbb2570e44cffcc0b230d9cbd83bbdf31761be36968409e5a1b

SHA512
6fe3df4b133877e51484ca5ea9ab68d00c6799387a91ca6fe0ae1c453d9bd5f364959a54dcec64a399f025ca15949b860391b06fbcc8aa8164d6b5607843908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3401.exe
Filesize
844KB

MD5
ffadd519d6d4d8edd74d186a09e121c4

SHA1
52f7e5862b2de839c2c7e77edc36e87813adb0ed

SHA256
5a0b32225c0bed9c73d0d220ad3b7953277f3a47914f67789b8ea00aff733b1c

SHA512
02e8be6f3c67f770250dd7f6169c0266b7df0df2fb61be2008355f8a0009b365a2db76be5860e450617058f9a30b807563fce46ae48ab67e2d43ebcedceec34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zap3401.exe
Filesize
844KB

MD5
ffadd519d6d4d8edd74d186a09e121c4

SHA1
52f7e5862b2de839c2c7e77edc36e87813adb0ed

SHA256
5a0b32225c0bed9c73d0d220ad3b7953277f3a47914f67789b8ea00aff733b1c

SHA512
02e8be6f3c67f770250dd7f6169c0266b7df0df2fb61be2008355f8a0009b365a2db76be5860e450617058f9a30b807563fce46ae48ab67e2d43ebcedceec34b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvYYK87.exe
Filesize
175KB

MD5
7feb0140dcaf95b0931422f7f7a1cd05

SHA1
adfb900b095a0122e53b46c676e5b4d4b2e305c2

SHA256
f3837a195607cfcf14ac12c85ff5f128659d72869c801050737fc99e5d76b717

SHA512
c412cd9b9fd82e7eba6b6848e82c4d26e3bbc34aa7fd33b6a1619bafb44a3fd1d8f1cab811f9ab47a060db6af2284b189b75d969080d7fefb55c866616e703e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\xvYYK87.exe
Filesize
175KB

MD5
7feb0140dcaf95b0931422f7f7a1cd05

SHA1
adfb900b095a0122e53b46c676e5b4d4b2e305c2

SHA256
f3837a195607cfcf14ac12c85ff5f128659d72869c801050737fc99e5d76b717

SHA512
c412cd9b9fd82e7eba6b6848e82c4d26e3bbc34aa7fd33b6a1619bafb44a3fd1d8f1cab811f9ab47a060db6af2284b189b75d969080d7fefb55c866616e703e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7708.exe
Filesize
702KB

MD5
fea2fd5f355e6385acdc61a096edad93

SHA1
3371fe5614f7fcb16fd2032e68985014f6959584

SHA256
d9dadd824eb8a497c3a3ab7ffadeb00969ab2ff60f740a61544fd7bd4dc4c9f8

SHA512
69f08b95a647663037f765241865fbc8a744f08725af05eea87a7aa80543b5cc2488bb1dc5e58a9a4d9a3cb637860af6df366850fc0a2155ea610181b359249f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\zap7708.exe
Filesize
702KB

MD5
fea2fd5f355e6385acdc61a096edad93

SHA1
3371fe5614f7fcb16fd2032e68985014f6959584

SHA256
d9dadd824eb8a497c3a3ab7ffadeb00969ab2ff60f740a61544fd7bd4dc4c9f8

SHA512
69f08b95a647663037f765241865fbc8a744f08725af05eea87a7aa80543b5cc2488bb1dc5e58a9a4d9a3cb637860af6df366850fc0a2155ea610181b359249f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61hy78.exe
Filesize
349KB

MD5
5aff21a34dffeb74544a2a6d1beccd2a

SHA1
8a530727d6946c0e463b6a4e74dd55aeded125c0

SHA256
065f1394207991f0ec9a6896ce5790c768865ce592ad3af8a32ca81b776ee322

SHA512
0811594608f1389e09547f7b2273133f1e388fa7739b62367868753a83cbe18a5c0e63ba55f835648edfc80953fd21b38f91ca8a3567603ce4b1294b1109dd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\w61hy78.exe
Filesize
349KB

MD5
5aff21a34dffeb74544a2a6d1beccd2a

SHA1
8a530727d6946c0e463b6a4e74dd55aeded125c0

SHA256
065f1394207991f0ec9a6896ce5790c768865ce592ad3af8a32ca81b776ee322

SHA512
0811594608f1389e09547f7b2273133f1e388fa7739b62367868753a83cbe18a5c0e63ba55f835648edfc80953fd21b38f91ca8a3567603ce4b1294b1109dd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3694.exe
Filesize
348KB

MD5
ad212f051072663e6d942d5f4ed6b78c

SHA1
9f7fb2d52db1f1a24e99ca30b2b011827e95b77f

SHA256
460fdeb0b127312034fdffaf86d9dca16e0c55267e01b43834816bc57311cffd

SHA512
36ea678f305da568719cf98cc119687f0c37b2d3a95fbf79eaeae74f12a319cc71aec9034bcfcf38e56c70689f65c9b5ac8735be1888df8bca2391d85655f227

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\zap3694.exe
Filesize
348KB

MD5
ad212f051072663e6d942d5f4ed6b78c

SHA1
9f7fb2d52db1f1a24e99ca30b2b011827e95b77f

SHA256
460fdeb0b127312034fdffaf86d9dca16e0c55267e01b43834816bc57311cffd

SHA512
36ea678f305da568719cf98cc119687f0c37b2d3a95fbf79eaeae74f12a319cc71aec9034bcfcf38e56c70689f65c9b5ac8735be1888df8bca2391d85655f227

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8168.exe
Filesize
11KB

MD5
5322e74992235c1628bb7249cdfbd547

SHA1
11da110e044685e9d316fd395435b03f5756291a

SHA256
13e9847149ef2ffe50fbfee408f0de48f5b764e7a2965f57a3f08cd33479bde0

SHA512
431a9d62c23d60c5c70357fca559dce421fd2dfe46876e67e2a9c35baebae426b21ab276b832c37074917aca9bb8969ad3057eee4b4202ec73ee65875b89491c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\tz8168.exe
Filesize
11KB

MD5
5322e74992235c1628bb7249cdfbd547

SHA1
11da110e044685e9d316fd395435b03f5756291a

SHA256
13e9847149ef2ffe50fbfee408f0de48f5b764e7a2965f57a3f08cd33479bde0

SHA512
431a9d62c23d60c5c70357fca559dce421fd2dfe46876e67e2a9c35baebae426b21ab276b832c37074917aca9bb8969ad3057eee4b4202ec73ee65875b89491c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7059cF.exe
Filesize
292KB

MD5
5aa1bac475b22196814cb3c3f731a8af

SHA1
7a5f4f1491abbd8a96d1f89afdee72b86307d6c0

SHA256
c4593725fc2f4895678b581f80497d65338d84acb2df1687b43c8cdb8dee7342

SHA512
523e1c8588f0844ff2b4e93ab495dcaa647808121aa1ce70f1d9145f48e7805bac620a4bacc35cab8951b549565a1dbc6dfba00a0ebb634b360e8baa680159eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\v7059cF.exe
Filesize
292KB

MD5
5aa1bac475b22196814cb3c3f731a8af

SHA1
7a5f4f1491abbd8a96d1f89afdee72b86307d6c0

SHA256
c4593725fc2f4895678b581f80497d65338d84acb2df1687b43c8cdb8dee7342

SHA512
523e1c8588f0844ff2b4e93ab495dcaa647808121aa1ce70f1d9145f48e7805bac620a4bacc35cab8951b549565a1dbc6dfba00a0ebb634b360e8baa680159eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a0359ff98b66f47da4f50bcded64f1a8

SHA1
ee42a2bf254c121d7f4b0fc1232ead5596af7cf2

SHA256
92e85bf6ef687bbb2570e44cffcc0b230d9cbd83bbdf31761be36968409e5a1b

SHA512
6fe3df4b133877e51484ca5ea9ab68d00c6799387a91ca6fe0ae1c453d9bd5f364959a54dcec64a399f025ca15949b860391b06fbcc8aa8164d6b5607843908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a0359ff98b66f47da4f50bcded64f1a8

SHA1
ee42a2bf254c121d7f4b0fc1232ead5596af7cf2

SHA256
92e85bf6ef687bbb2570e44cffcc0b230d9cbd83bbdf31761be36968409e5a1b

SHA512
6fe3df4b133877e51484ca5ea9ab68d00c6799387a91ca6fe0ae1c453d9bd5f364959a54dcec64a399f025ca15949b860391b06fbcc8aa8164d6b5607843908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a0359ff98b66f47da4f50bcded64f1a8

SHA1
ee42a2bf254c121d7f4b0fc1232ead5596af7cf2

SHA256
92e85bf6ef687bbb2570e44cffcc0b230d9cbd83bbdf31761be36968409e5a1b

SHA512
6fe3df4b133877e51484ca5ea9ab68d00c6799387a91ca6fe0ae1c453d9bd5f364959a54dcec64a399f025ca15949b860391b06fbcc8aa8164d6b5607843908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a0359ff98b66f47da4f50bcded64f1a8

SHA1
ee42a2bf254c121d7f4b0fc1232ead5596af7cf2

SHA256
92e85bf6ef687bbb2570e44cffcc0b230d9cbd83bbdf31761be36968409e5a1b

SHA512
6fe3df4b133877e51484ca5ea9ab68d00c6799387a91ca6fe0ae1c453d9bd5f364959a54dcec64a399f025ca15949b860391b06fbcc8aa8164d6b5607843908b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5d2db5804\oneetx.exe
Filesize
236KB

MD5
a0359ff98b66f47da4f50bcded64f1a8

SHA1
ee42a2bf254c121d7f4b0fc1232ead5596af7cf2

SHA256
92e85bf6ef687bbb2570e44cffcc0b230d9cbd83bbdf31761be36968409e5a1b

SHA512
6fe3df4b133877e51484ca5ea9ab68d00c6799387a91ca6fe0ae1c453d9bd5f364959a54dcec64a399f025ca15949b860391b06fbcc8aa8164d6b5607843908b

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
Filesize
89KB

MD5
6a4c2f2b6e1bbce94b4d00e91e690d0d

SHA1
f61021fd82dabd2ccde8d1e46736b1a9f4e4ce57

SHA256
8b6af7cc4fc3bcb4172a2bf4a7727175ba48980bcc808e56ce7744d28af60a8f

SHA512
8c9154748e410b71942c5316b1bdcc5590f7f0da33c0139fb4c86087a78b8c16ab76f1fa724524169e0f3d1a3d1f138dfd60979ee3e4b6487a66532879371f01

Download Submit
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1588-161-0x00000000000D0000-0x00000000000DA000-memory.dmp

Filesize
40KB

Download
memory/3100-181-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-187-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-189-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-191-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-193-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-195-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-197-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-198-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3100-199-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3100-200-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3100-201-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3100-203-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3100-204-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3100-205-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/3100-185-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-183-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-179-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-177-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-175-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-173-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-171-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-170-0x00000000025E0000-0x00000000025F2000-memory.dmp

Filesize
72KB

Download
memory/3100-169-0x0000000004A80000-0x0000000005024000-memory.dmp

Filesize
5.6MB

Download
memory/3100-167-0x0000000000730000-0x000000000075D000-memory.dmp

Filesize
180KB

Download
memory/3100-168-0x0000000002480000-0x0000000002490000-memory.dmp

Filesize
64KB

Download
memory/3708-217-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-1129-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3708-235-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-237-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-239-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-241-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-243-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-254-0x0000000002110000-0x000000000215B000-memory.dmp

Filesize
300KB

Download
memory/3708-255-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3708-257-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3708-259-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3708-1120-0x0000000005230000-0x0000000005848000-memory.dmp

Filesize
6.1MB

Download
memory/3708-1121-0x00000000058B0000-0x00000000059BA000-memory.dmp

Filesize
1.0MB

Download
memory/3708-1122-0x00000000059F0000-0x0000000005A02000-memory.dmp

Filesize
72KB

Download
memory/3708-1123-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3708-1124-0x0000000005A10000-0x0000000005A4C000-memory.dmp

Filesize
240KB

Download
memory/3708-1125-0x0000000005D00000-0x0000000005D92000-memory.dmp

Filesize
584KB

Download
memory/3708-1126-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/3708-1128-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3708-233-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-1130-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3708-1131-0x0000000004B30000-0x0000000004B40000-memory.dmp

Filesize
64KB

Download
memory/3708-1132-0x00000000079C0000-0x0000000007A36000-memory.dmp

Filesize
472KB

Download
memory/3708-1133-0x0000000007A50000-0x0000000007AA0000-memory.dmp

Filesize
320KB

Download
memory/3708-1134-0x0000000007AB0000-0x0000000007C72000-memory.dmp

Filesize
1.8MB

Download
memory/3708-1135-0x0000000007C80000-0x00000000081AC000-memory.dmp

Filesize
5.2MB

Download
memory/3708-211-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-213-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-210-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-231-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-229-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-227-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-225-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-223-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-221-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-219-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/3708-215-0x0000000004A70000-0x0000000004AAF000-memory.dmp

Filesize
252KB

Download
memory/4416-1143-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4416-1142-0x0000000004E20000-0x0000000004E30000-memory.dmp

Filesize
64KB

Download
memory/4416-1141-0x00000000001C0000-0x00000000001F2000-memory.dmp

Filesize
200KB

Download